Yummba Webinject Tools Crimeware Threat

About This Presentation

Title:

Description:

Number of Views:19

Slides: 11

Provided by: AkamaiAkamai

Transcript and Presenter's Notes

Title: Yummba Webinject Tools Crimeware Threat

1
Yummba Webinject Tools

2
Overview Yummba Webinject Tools

New webinject tool by Russian individual or group
using the name Yummba
A webinject is a framework that allows attackers
to insert custom elements into web pages
Appears legitimate to end users
Incorporated into malware kits such as Zeus,
SpyEye and KINS
Used to collect and exploit customer data
Stolen credentials allow attackers to bypass
security measures
Webinjects crafted by Yummba are robust
Utilizes the Automatic Transfer System
(ATSEngine)
More complete and dynamic attacks and a more
advanced feature set

3
Sample Webinject

A webinject lays or embeds information in a
legitimate webpage that misleads the customer
into entering data
Data used for malicious purposes, such as
identity theft and banking/credit card fraud.
Often customized to match a sites look and feel

4
Webinject Targets

PLXsert identified more than 100 companies with
active injects available
The most likely targeted companies are larger
financial institutions in North America and
Europe
Attacks-for-sale come with a wide range of
features
Simple reporting of account information
Simple credential theft
Automated wire transfers to an attacker-controlled
account
Attack targets include banking and financial
services sites, multiple ecommerce sites and
social media platforms

5
Code Analysis and the ATSEngine

Custom Yummba webinjects are intended to be used
with the ATSEngine
Allows malicious actors to update their
configurations easily
The code prepares the ATSEngine to scrape and
gather users banking session information
Hidden iframes are used to exfiltrate the data
Data is sent directly to the malicious actors
command and control (CC or C2) server without the
users knowledge
Other functions attempt to gather additional user
account information

6
How It Works with Zeus

The Zeus framework is a banking trojan crimeware
kit that is often used to harvest banking
credentials
Once a system is compromised by Zeus, malicious
actors have access to a variety of remote
commands, such as installing webinjects
Lab simulations used an infected Zeus bot
configured with webinjects prior to browsing
several websites

During a test in the lab environment, a user
submitted fake credentials that were collected by
the Yummba webinject tool
7
Vulnerability Mitigation

In most cases, a client computer would have been
previously compromised by a Trojan such as the
Zeus crimeware kit
Mitigation efforts include
User awareness
Antivirus software
System hardening
Deep packet inspection
Community cleanup
Get more detail mitigation techniques in the full
Yummba Webinjects Tool threat advisory

8
Conclusion

The underground crimeware ecosystem will continue
to target financial institutions and streamline
illegitimate operations
Malicious actors will continue to develop
payloads like these, in addition to DDoS botnet
building and monetization
Easy-to-use crimeware kits have simplified the
setup of criminal shops that can generate profits
very quickly
International cooperation, community cleanup and
a preemptive security mindset are needed to
prevent the further expansion of this profitable
criminal market

9
Threat Advisory Yummba Webinject

Download the Yummba Webinject Tools threat
advisory at www.stateoftheinternet.com/yummba
This high risk crimeware threat advisory
includes
How webinjects work
Co-resident malware, such as Zeus and ATSengine
Potential banking targets
Analysis of the code
Types of data stolen
Vulnerability mitigation

10
About stateoftheinternet.com

Write a Comment

User Comments (0)